How much danger is there if I expose my consumer secret?

security
oauth
api

#1

I want to use the Twitter REST API in a pure web app. For authentication I could use Firebase to get both the accessToken and secretToken, and that works fine without creating my own server.

But all the other APIs need an oauth_signature, and I just don't want to create a proxy server. Instead I could calculate it on the client.

But as you can see, that requires putting the consumer secret in the JavaScript code.

So I would like to know: does it break any policy or create a very huge security risk?
What I know is that if I expose the consumer secret, some user might use my secret to call the REST API directly once they get the secret access token. But then it is just the same level as Facebook, so I think that's fine.


#2

If you expose your tokens, the risk is that they may be used by others. The impact to you may be that they use your rate limit allocation, so that you can no longer call the API as you wish; and/or that another app may abuse the API, resulting in your account or tokens being suspended (which would not be the fault of your app, but it could be an unwelcome result for you).


#3

The thing is, I would not expose the app secret token, just the consumer secret token. So by the workflow it should be constrained by the per-user rate limit, isn't it?